OPNsense Forum

English Forums => General Discussion => Topic started by: spetrillo on January 24, 2021, 02:35:31 am

Title: Access to Web Server from Outside
Post by: spetrillo on January 24, 2021, 02:35:31 am
Hello all,

I have an Apache web server set up on a VM on my home network. I set up two port forwards, one for HTTP and one for HTTPS. Is there anything else I need to be able to see the web server from the outside?

Thanks,
Steve
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 24, 2021, 09:50:24 am
Firewall rules on WAN generally, although by default OPNsense will set up associated rules when you set up the port forwards
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 24, 2021, 09:51:50 am
PS - if OPNsense is configured properly but you still can’t connect, check that your ISP is not blocking 80 and 443 inbound - many do, and if so you might be able to ask them to remove the block
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 24, 2021, 06:00:08 pm
Yes, I have the port forwards and the fw rules set up. I am going to check with my ISP.
Title: Re: Access to Web Server from Outside
Post by: chocapic on January 25, 2021, 08:37:03 pm
Use nginx and Let's Encrypt.
https://wiki.slemoal.fr/index.php/OPNSense_os-acme-client
And
https://wiki.slemoal.fr/index.php/OPNSense_NGINX
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 26, 2021, 08:33:52 pm
> Use nginx and Let's Encrypt.
> https://wiki.slemoal.fr/index.php/OPNSense_os-acme-client
> And
> https://wiki.slemoal.fr/index.php/OPNSense_NGINX

Are you using the Nginx plugin?
Title: Re: Access to Web Server from Outside
Post by: chocapic on January 27, 2021, 07:53:02 am
yes it's a great plugin :)
Title: Re: Access to Web Server from Outside
Post by: chocapic on January 27, 2021, 07:55:44 am

It allows me to host several websites at home by redirecting my subdomains to my public IP. nginx takes care of analyzing the origin of the subdomain in order to redirect it to the right server.
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 29, 2021, 04:38:24 pm

> It allows me to host several websites at home by redirecting my subdomains to my public IP. nginx takes care of analyzing the origin of the subdomain in order to redirect it to the right server.

Are you using the plugin as your de facto web server or are you just using it to point to your web server? For example, I have spun up an Ubuntu VM on my home network and installed WordPress on it. It is now a working website. What I cannot seem to figure out is how do I tie the IP of the internal VM/web server to the www name I want to use. That seems to be my missing piece. I have A records in the domain's DNS pointing www to my public IP but that does not seem to do the trick. It's like I am missing something on OPNsense that equates www.my-domain.com to the internal IP of my VM/web server.

Make sense? Clear as mud?
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 29, 2021, 10:34:43 pm
All you should need to do is port forward ports 80 and 443 from your router to the VM. If the webserver is listening on www.my-domain.com, then that should work

Post your port forward config, as there may be something wrong with it
Title: Access to Web Server from Outside
Post by: Greelan on January 30, 2021, 02:49:02 am
But really, as chocapic suggested, having nginx as the primary webserver, serving content itself and/or proxying other webservers, is a great idea.

I run nginx as a reverse proxy for about 9 backend webservers in my network (plus have nginx running its own basic frontend). My nginx webserver runs in a LXD container in my network, not on OPNsense itself, but the concept is the same.

Running it on OPNsense means you don’t need any port forwards, just need to open ports 80 and 443 so that the nginx server can receive external requests and serve or proxy the relevant content on the various domains/subdomains. Also means you only have to configure SSL termination in one place.

Edit: I should add that I run nginx in a container because I am somewhat paranoid about security. If nginx ever gets compromised, the damage is limited. I don’t like running extraneous services on OPNsense for that reason
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 30, 2021, 04:18:01 am
> All you should need to do is port forward ports 80 and 443 from your router to the VM. If the webserver is listening on www.my-domain.com, then that should work
>
> Post your port forward config, as there may be something wrong with it

Here are my port forwards and WAN rules.
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 30, 2021, 04:18:41 am
> But really, as chocapic suggested, having nginx as the primary webserver, serving content itself and/or proxying other webservers, is a great idea.
>
> I run nginx as a reverse proxy for about 9 backend webservers in my network (plus have nginx running its own basic frontend). My nginx webserver runs in a LXD container in my network, not on OPNsense itself, but the concept is the same.
>
> Running it on OPNsense means you don’t need any port forwards, just need to open ports 80 and 443 so that the nginx server can receive external requests and serve or proxy the relevant content on the various domains/subdomains. Also means you only have to configure SSL termination in one place.
>
> Edit: I should add that I run nginx in a container because I am somewhat paranoid about security. If nginx ever gets compromised, the damage is limited. I don’t like running extraneous services on OPNsense for that reason

Could it be as simple as the reverse proxy to my vm?
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 30, 2021, 05:11:31 am
Can’t see anything wrong with your port forwards/rules. I assume FIOS = WAN. Maybe then the issue is that your apache server is not configured to listen on the domain/subdomain.

In answer to your second question, yes a nginx reverse proxy would work
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 30, 2021, 07:01:13 am
> Can’t see anything wrong with your port forwards/rules. I assume FIOS = WAN. Maybe then the issue is that your apache server is not configured to listen on the domain/subdomain.
>
> In answer to your second question, yes a nginx reverse proxy would work

I checked my Apache server and it's set up correctly. Is there a good tutorial on how to set up the nginx plugin for reverse proxy? It looks complicated.
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 30, 2021, 07:36:29 am
This may help: https://forum.opnsense.org/index.php?topic=19305.0
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 30, 2021, 07:38:25 am
> This may help: https://forum.opnsense.org/index.php?topic=19305.0

Yes I found it...one thing I am not sure about are the firewall rules needed?
Title: Re: Access to Web Server from Outside
Post by: Greelan on January 30, 2021, 08:06:58 am
Should be covered by the tutorial, but as I mentioned above, you need to allow ports 80 and 443 into the WAN interface. No port forwards though
Title: Re: Access to Web Server from Outside
Post by: chocapic on January 30, 2021, 07:33:28 pm
> Use nginx and Let's Encrypt.
> https://wiki.slemoal.fr/index.php/OPNSense_os-acme-client
> And
> https://wiki.slemoal.fr/index.php/OPNSense_NGINX

show my tutorial
Title: Re: Access to Web Server from Outside
Post by: spetrillo on January 31, 2021, 07:29:25 pm
Something just hit me which I would like to confirm...

I could use the nginx plugin as my http/s server, in lieu of Apache, correct? If yes, would I still be able to do a WordPress site or does that eliminate that since it leverages Apache?
Title: Access to Web Server from Outside
Post by: Greelan on January 31, 2021, 09:24:39 pm
https://wordpress.org/support/article/nginx/

But if it were me, I wouldn’t be hosting a WordPress site on my firewall
Title: Re: Access to Web Server from Outside
Post by: wedsed on June 10, 2022, 12:06:24 pm
I had a similar problem, and I tried to figure out what the problem was for a long time. I managed to do it only after a couple of hours. It turns out that the firewall on the router was spoiling packets. I prescribed a rule for the local web server and got access. Now I'm looking at iptables on the router and looking for a rule for the wifi interface to understand which rule was passed to the wifi machine.
Of course, this is more difficult than doing Managed WordPress hosting (https://mywebadvantage.com/wordpress-hosting-plans/), but specialists with individual skills are needed in any field. I think that such a model is in the future. If everyone goes about their business, we can achieve new results.
Title: Re: Access to Web Server from Outside
Post by: fabian on June 12, 2022, 12:29:33 am
The hosting capability is very restricted as the nginx plugin is running on a firewall appliance. For example, you may not get a database driver you need etc.

It can serve static files or PHP files with not that many PHP extension requirements. So the best thing is to forward the connection to your apache httpd you have already prepared using the nginx reverse proxy. Usually you have to set one or two values on a page and leave the rest at the defaults.
And yes, you could also use nginx on the backend server instead of apache httpd. But that is your application server, which you are going to configure, and it does not matter from OPNsense's point of view.
If OPNsense cannot reach your apache httpd, then check the following:

* does the target host have its own firewall and is it properly configured (allows access from OPNsense to the target application) -> nftables / iptables on linux
* does the apache httpd listen on the correct IP address and port?
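
The two checks in the list above can be told apart from the network side. The following is an added example, not part of the thread or of OPNsense: a small Python probe, meant to be run from a machine that reaches the backend the same way the proxy does, which separates a reset connection, silently dropped packets, and an HTTP answer for a given hostname. The function name `probe_backend`, the script name in the usage line and the plain-HTTP assumption (port 80 style listener, no TLS) are choices made for this example.

```python
import socket
import sys

def probe_backend(ip, port, host_header, timeout=3.0):
    """Return (state, detail) for a backend as seen from the machine running this.

    refused     - TCP reset: nothing listens on ip:port, or a firewall REJECTs
    filtered    - no reply before the timeout: packets dropped or host down
    unreachable - any other network error (no route, bad address, ...)
    not-http    - port is open but the reply is not an HTTP response
    http        - detail is the integer status code returned for host_header
    """
    # Refuse line breaks so the Host value cannot inject extra request headers.
    if "\r" in host_header or "\n" in host_header:
        raise ValueError("host_header must not contain line breaks")
    try:
        sock = socket.create_connection((ip, port), timeout=timeout)
    except ConnectionRefusedError:
        return ("refused", "check the Listen address/port and REJECT rules")
    except socket.timeout:
        return ("filtered", "check nftables/iptables on the target host")
    except OSError as exc:
        return ("unreachable", str(exc))
    with sock:
        # Send the hostname the proxy would send, so the right vhost answers.
        request = "HEAD / HTTP/1.1\r\nHost: %s\r\nConnection: close\r\n\r\n" % host_header
        try:
            sock.sendall(request.encode("ascii"))
            reply = b""
            while b"\r\n" not in reply:
                chunk = sock.recv(1024)
                if not chunk:
                    break
                reply += chunk
        except OSError as exc:
            return ("not-http", "connection broke mid-request: %s" % exc)
    status_line = reply.split(b"\r\n", 1)[0].decode("latin-1")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[0].startswith("HTTP/") or not parts[1].isdigit():
        return ("not-http", status_line[:80])
    return ("http", int(parts[1]))

if __name__ == "__main__":
    if len(sys.argv) != 4:
        sys.exit("usage: probe.py BACKEND_IP PORT HOSTNAME")
    print(probe_backend(sys.argv[1], int(sys.argv[2]), sys.argv[3]))
```

A `refused` or `filtered` result points at the listener or the host firewall; an `http` result with an unexpected status for the hostname points at the virtual host configuration instead.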